Privacy Policy

GrydBase is a business operations platform for contractors, roofers, service businesses, and similar trades. It is owned and operated by Caleb Media Studio, LLC ("we", "us", "our"), based in Central Florida. This Privacy Policy explains what data we collect, how we use it, and what rights you have over it.

"You" means anyone who creates an account, uses the platform, or accesses a client portal created through GrydBase.

Account data: When you register, we collect your name, email address, and authentication credentials. If you sign in with Google, we receive your name and email from Google but never your Google password.

Workspace and business data: Data you enter into GrydBase — customer contacts, job records, notes, invoices, contracts, and site content — is stored on your behalf. You own this data.

Email content: When you use GrydBase's business email feature, inbound and outbound message content is stored to display in your inbox and linked to CRM records. Email delivery is handled by a third-party provider (see Section 5).

Payment data: We do not store credit card numbers or raw payment credentials. Payment details are handled entirely by our payment processor. We receive transaction IDs, billing amounts, and subscription status via secure webhook events.

Technical data: We collect IP addresses, browser type, device information, and session tokens for security, authentication, and platform reliability purposes. This data is not sold or used for advertising.

AI interaction data: When you use AI features, your prompt and relevant workspace context (contact records, site content, etc.) are sent to our AI model provider to generate a response. See Section 6 for details.

We use your data to:

• Provide, maintain, and improve the GrydBase platform
• Authenticate your identity and secure your workspace
• Process payments and manage subscription billing
• Send transactional emails (invoices, receipts, portal invites, system alerts)
• Enable AI-powered features when you initiate them
• Comply with legal obligations and respond to valid legal requests
• Investigate and prevent fraud, abuse, and security incidents

We do not sell your personal data. We do not use your data to serve advertising.

GrydBase uses cookies and browser storage to maintain your authenticated session across page loads. These are functional cookies required for the platform to work — they are not used for tracking or advertising. Session tokens expire automatically and are rotated on each sign-in.

If you are a GrydBase Agency subscriber using white-label configuration, session cookies are scoped to your custom domain rather than grydbase.com.

GrydBase relies on third-party infrastructure providers to operate. These providers handle specific functions including database hosting and authentication, application hosting and delivery, payment processing, transactional and business email delivery, AI model inference, domain registration, and DNS management.

Each provider receives only the data necessary to perform its function. We do not sell data to third parties, and none of our providers are authorized to use your data for their own marketing purposes.

All primary subprocessors we rely on maintain active SOC 2 Type 2 compliance — an independent third-party audit that verifies their security, availability, and confidentiality controls are operating effectively on an ongoing basis.

GrydBase uses an AI model provider to power features such as email drafting, site content generation, and workflow assistance. When you initiate an AI feature:

• Your prompt and relevant workspace context (e.g., a contact's name or a site section) are transmitted to our AI provider to generate a response
• Our AI provider does not use API-submitted data to train its models
• AI requests are never made automatically — they are always user-initiated
• AI context is limited to what is directly relevant to your specific request

We do not send payment data, authentication credentials, or full email inboxes to AI providers. Each AI request consumes actions from your workspace balance at the time of the request. AI-generated content is stored in your workspace only if you choose to save it.

We retain your data for as long as your account is active and your subscription is in good standing.

• Workspace data (contacts, jobs, invoices, site content) — retained while your account is active; deleted within 30 days of account closure
• Billing and payment records — retained for 7 years as required by applicable tax and accounting law
• Email delivery logs — retained for 90 days, then automatically purged
• IP and security logs — retained for 30 days, then automatically purged
• Consent records (ToS and Privacy Policy acceptance timestamps) — retained for the life of the account as a legal record

If you cancel your subscription, your workspace data remains accessible for 30 days so you can export what you need. After 30 days, data is permanently deleted from our systems except where legal retention requirements apply.

You have the right to export your data at any time while your account is active. The following exports are available from your workspace settings:

• Contacts and CRM records — CSV export
• Invoices and contracts — PDF download per record
• Email messages — MBOX/EML format
• DNS records — Zone file export
• Site content — JSON export of page blocks

For a full bulk export of all workspace data, email support@grydbase.com with the subject "Data Export Request." We will deliver a complete archive within 14 business days.

You have the right to request deletion of your account and all associated personal data. To submit a deletion request, email support@grydbase.com with the subject “Account Deletion Request” from the email address associated with your account.

Upon receiving a verified deletion request, we will:

• Confirm receipt within 5 business days
• Permanently delete your workspace data — contacts, jobs, invoices, site content, email messages, and files — within 30 days
• Deactivate your account and remove your personal profile from our active systems
• Notify you by email once deletion is complete

What we are required to retain: Billing and payment records are retained for 7 years as required by applicable tax law. Consent records (your agreement to these terms) are retained as a legal record. These records are stored securely, are not used for any operational purpose, and are purged once the legal retention period expires.

Domain registrations are governed by ICANN policy and cannot be deleted mid-registration period. They expire naturally at the end of their registration term unless renewed.

Agency plan subscribers may configure GrydBase with custom branding. When white-label is enabled, your customers interact with your branded interface and may not be aware they are using GrydBase. In this case, you are acting as a data controller for your customers' data, and we are acting as your data processor.

You are responsible for providing your own privacy notice to your customers explaining how their data is collected and used when they access your white-labeled portal. Our Privacy Policy governs the relationship between you and us, not between you and your end customers.

We design GrydBase for the highest possible reliability. However, GrydBase is built on top of third-party infrastructure — including Vercel (hosting), Supabase database hosting, application delivery, payments, and email delivery. The availability of these services is outside our direct control.

In the event of an outage or service degradation, we will work in good faith to restore full functionality as quickly as possible and communicate status updates through your workspace or registered email address.

We do not guarantee uninterrupted access to GrydBase and are not liable for data delays or loss of access caused by third-party infrastructure failures.

We use industry-standard security practices to protect your data, including:

• TLS encryption in transit for all data between your browser and our servers
• Encrypted storage for sensitive values (API keys, webhook secrets)
• Row-level security enforced at the database layer to isolate tenant data
• Session tokens rotated on sign-in and invalidated on sign-out
• Service role credentials never exposed to client-side code

No system is perfectly secure. If you discover a vulnerability, please report it responsibly to support@grydbase.com.

GrydBase is intended for use by adults operating or working for businesses. We do not intentionally collect personal information from anyone under the age of 13, and we do not knowingly collect data from anyone under 18 years of age. If you believe a minor has provided us personal data, contact us immediately at support@grydbase.com and we will delete it promptly.

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by displaying a notice in your workspace at least 14 days before the changes take effect. Continued use of GrydBase after that date constitutes acceptance of the updated policy.

For questions, export requests, deletion requests, or privacy concerns, contact us at: support@grydbase.com

Caleb Media Studio, LLC · Central Florida, United States